Virtual input/output commands.

The apparatus provides a secure input/output command system by the operating system generating a virtual input/output command including a virtual channel number, verifying that the user has authorization to access the processes and the devices, and then generating a physical input/output command for transfer over a system bus to the device addressed by the physical channel number included in the command.

VIRTUAL INPUT/OUTPUT COMMANDS



Scope of the Invention 

This invention relates generally to the data 
processing field, and more particularly to the ap- 
paratus for providing a more secure input/output 
(I/O) system. 



Description of the Prior Art

Protection is required of data processing systems to separate multiple users from each other, and users from the operating system. Protection refers to a mechanism for controlling the access of programs, processes, or users to the resources of a computer system. Protection is basically an internal problem: the requirement of controlling access to programs and data stored in a computer system.

Computer security requires an adequate protection system and also consideration of the external environment the computer is to be operated in. Security is the mediation of access by subjects within a computer system to objects based upon a policy that the system is enforcing. Assurance is a measure of confidence that the integrity of a system and its data will be preserved.

Secure systems should possess certain capabilities such as:

1. Access Control - People/objects attempting to access computers can be positively and reliably identified.

2. Process Control Integrity - Persons/objects will be restricted to particular functions and separation of users must be assured.

3. Violations of system security can be detected.

4. Messages between users and the computer can be kept secret and tamper-proof.

5. Hardware and software can be made tamper-proof.

6. Systems can be designed with high reliability.

Many of these capabilities are found in other computing systems, typically the Multics system in use at Massachusetts Institute of Technology and the Honeywell Secure Communications Processor (SCOMP).

Multics stores the processes in privileged rings in memory for security reasons and uses virtual addressing. However the Multics system does not take advantage of the protection afforded by using the virtual I/O command system.

The SCOMP system also stores the processes in privileged rings in memory for security reasons and uses virtual addressing. But SCOMP also takes advantage of the protection afforded by using the virtual I/O command system. However SCOMP includes separate logic boards for performing the virtual I/O to physical I/O translation.

OBJECTS OF THE INVENTION



Accordingly it is an object of this invention to provide a data processing system having an improved security input/output (I/O) command system that is less costly to implement and has an improved throughput.

This invention is pointed out with particularity in the appended claims. An understanding of the above and further objects and advantages of this invention can be obtained by referring to the following description taken in conjunction with the drawings.

DESCRIPTION OF THE DRAWINGS 



The manner in which the method of the present invention is performed and the manner in which the apparatus of the present invention is constructed and its mode of operation can best be understood in the light of the following detailed description together with the accompanying drawings in which like reference numbers identify like elements in the several figures and in which:

Figure 1 is an overall block diagram of a data processing system.

Figures 2A through 2E show the format of the input/output commands.

Figure 3 is a partial block diagram of the virtual memory management and central processing unit.

Figure 4 is a block diagram of the register and tables of the secure input/output system.

Figure 5 is a flow diagram of the virtual input/output firmware implementation.

SUMMARY OF THE INVENTION

This invention provides multilevel security with- 
in a computer system of input/output (I/O) com- 
mands sent over a system bus to peripheral de- 
vices. 

An I/O command sent over the system bus 
includes a physical channel number identifying the 
device and a function code which specifies the 
function the device will perform. The operating 
system generates a virtual I/O command which 
includes a ring number, a virtual channel number 
and the function code. 

Firmware performs a number of checks on the virtual I/O command before translating the virtual channel number to the physical channel number. These checks which are made before the physical I/O command is generated include:

a. verifying that the user is privileged to access the process,

b. verifying that the IOLD buffer is within a 2KB limit,

c. verifying that the descriptors are valid and that the user is permitted access to the device,

d. verifying the virtual channel number location of the I/O descriptor against the size of the page table containing the descriptor, and

e. verifying the IOLD data buffer is marked as an IOLD buffer by the system software.

This is accomplished by the firmware which 
accesses a reserved portion of a control store 
using a number of registers and tables to perform 
the verification and translation of virtual address to 
physical address. 

The operating system generates a tree of 
memory descriptors and device descriptors and 
stores a pointer to this data structure information in 
a descriptor segment base register. The informa- 
tion specifies the base address of a descriptor 
segment page table. A value of the high order bit 
of the virtual channel number is used to determine 
the constant to be added to the base address to 
give the physical memory address of I/O page 
descriptor words. The I/O page descriptor includes
a validity bit, the size of the I/O descriptor table 
and the base address of the I/O descriptor table. 
The virtual channel number is added to the base 
address as an index to the I/O descriptor. 

The I/O descriptor includes a validity bit, a read or a write permission bit, ring bracket bits, and a physical channel number. The firmware checks the validity bit, verifies that the virtual I/O command calls for the proper read or write operation, and verifies the ring bracket bits against the virtual I/O command ring number. If all of these checks perform correctly, then the physical channel number replaces the virtual channel number in the command and the physical I/O command is sent out over the system bus.

There is a descriptor segment page table and an I/O descriptor table for each user. This enables the operating system to readily change the privileges of a user.

DESCRIPTION OF THE PREFERRED EMBODIMENT



Figure 1 shows a multiprocessing system, which includes a number of subsystems, each coupled to an asynchronous system bus 2 by a separate interface.

These subsystems include a central subsystem (CSS) 4 coupled to system bus 2 by system bus interface (SBI) 2-10 and a CSS 4A coupled to system bus 2 by SBI 2-10A. Only two CSS's are shown, however any number of CSS's may be coupled to system bus 2 by their respective interfaces. Each of the SBI's includes bus interface logic circuits of the type disclosed in Figure 9 of U.S. Patent No. 3,995,258.

Also coupled to system bus 2 via an SBI 2-8 is a system management facility (SMF) 20. A memory subsystem 8 is coupled to system bus 2 by an SBI 2-2. A number of peripheral controllers 14, typically a disk controller, a unit record controller, a magnetic tape controller, a communications controller and the like, may be coupled to system bus 2 by their respective SBI's, similar to SBI 2-4. Each peripheral controller 14 has coupled to it a number of appropriate devices 18.

Each CSS includes a cache, a control store, two central processor units (CPU) and their respective virtual memory management units (VMMU). CSS 4 includes a CPU 0 4-2 with its VMMU 0 4-8, a CPU 1 4-4 with its VMMU 1 4-10, a control store 4-12 and a cache 4-6. Although a CSS having dual CPU's is disclosed, it is understood that the invention may be incorporated in a system having a single CPU.

All communications between subsystems is accomplished by one subsystem sending out a command on system bus 2 and receiving a response from the addressed subsystem.

SMF 20 controls the initialization of system 1, as well as the monitoring of a number of system and environmental functions. SMF 20 includes a watchdog timer and a real time clock which are set by commands received by SMF 20 and from system bus 2 from one of the CPU's. The SMF 20 responds when the watchdog timer has decremented to zero by sending a corresponding command over system bus 2 to the CPU that initially sets the clock. In addition the SMF 20 monitors the power and temperature and alerts the subsystems if the power or temperature exceed predetermined limits. The SMF 20 operation is described in application Serial No. 869,164 entitled "System Management Apparatus for a Multiprocessor System".

The system supports both physical addresses 
and virtual addresses. Most software visible ad- 
dresses are virtual addresses. The VMMU will 
translate the virtual addresses to physical address- 
es. The physical addresses are used by the CPU 
to address cache or memory. For example CPU 0 
4-2 will send a virtual address to VMMU 0 4-8 over 
the bus BP 38. VMMU 0 will translate the virtual 
address to a physical address and send the phys- 
ical address to cache 4-6 and memory 8 via a bus 
PA 39. If the contents of the physical address is 
stored in cache 4-6, then it will be sent imme- 
diately back to CPU 0 4-2, otherwise the command 
containing the physical address is sent to memory 
8 via SBI 2-10, system bus 2 and SBI 2-2. The
contents of the physical address location will be 
sent back to the CPU 0 4-2 via SBI 2-2, system 
bus 2 and SBI 2-10 by a response command. 

A security kernel, consisting of operating sys- 
tem software, CPU and VMMU hardware, and vir- 
tual I/O processing is the implementation of a refer- 
ence monitor for the secure DPS6 PLUS product. 
The reference monitor is an abstract concept that 
must meet three security requirements. These are: 

1. Complete mediation of subjects to ob- 
jects, 

2. Isolation, and 

3. Verification. 

The complete mediation aspect is met by the 
Virtual Memory Management Unit which mediates 
all requests to memory. This mediation procedure 
also includes access permission checking. The virtual
I/O firmware is also part of this requirement. All
I/O commands are virtual and are allowed on the
basis of certain access permissions and checking 
procedures. 

The isolation aspect is met by the use of a 
hardware ring structure that separates security and 
system processing from user application process- 
ing. This feature is also enforced by the underlying 
hardware and firmware which compares the domain 
of execution with permissions allowed and con- 
tained in descriptor data structures. 

The verification aspect is met by the genera- 
tion of a formal top level specification which is 
compared to and verified with a formal or informal 
mathematical model of the security policy to be 
enforced. The model used is dependent upon the 
certification level being sought as described in the 
"Trusted Computer Security Evaluation Criteria" 
(DOD 5200.28-STD - December 1985). 

I/O commands generated by the operating system include a virtual channel number and a ring number. The firmware verifies the ring number and the validity of the command, and in conjunction with an I/O Descriptor Table stored in memory 8 translates the virtual channel number to the physical channel number. The I/O command which includes the physical channel number is sent out over system bus 2. The peripheral subsystem recognizing its physical channel number acknowledges the acceptance of the command and performs the operation specified by the function code portion of the command.

All of the CPU and VMMU operations are controlled by selected bits of control store words read out from control store 4-12. Control store 4-12 is divided into an A portion for controlling normal CSS operation including virtual address to physical address translation, and a B portion for controlling the implementation of the virtual I/O within the existing virtual memory system.

Virtual I/O processing provides security by separating the system 1 resources from the user domain. This assures that the necessary permission checks are completed before the I/O command is sent out over system bus 2 to the peripheral subsystem.

Figures 2A through 2D show the I/O command sent out over system bus 2. Figure 2E shows the format of the virtual I/O command with ring number and virtual channel number and the translated physical I/O command with its physical channel number.

Note that throughout the specification the notation "IO" will refer to Figures 2A, 2B and 2C. The notation "I/O" will refer to Figures 2A, 2B, 2C and 2D; that is, the notation "I/O" will encompass IO and IOLD.

Figure 2A shows the format of an IO output command generated by the CPU. The signals over system bus 2 include 32 address signals 0-23, A-H, and 32 data signals 0-31. Also included are a number of control signals (not shown). For the IO output command, address signals 8-17 specify the physical channel number of the distribution subsystem, address signals 18-23 specify the function code. Data bits 0-31 specify information which is transferred to the subsystem specified by the channel number. The data bits will perform as specified by the function code.

Figure 2B shows the format of the IO input command generated by the CPU which includes the channel number of the device and the function code specifying the information requested by the CPU. Data bits 0-9 specify the physical channel number of the CPU that generated the command. Data bits 16-31 specify optional information for the device.

Figure 2C shows the format of the IO response to the IO input command. The physical channel number of the source is now the physical channel number of the destination. Data bits 0-31 specify the information requested by the function code of the originating command. There is no virtual to physical channel number translation required for the source channel number of Figure 2B and the physical channel number of Figure 2C.

Figure 2D shows the format of the 2 cycles of 
the input/output load (IOLD) output command. The 
first cycle specifies the starting memory 8 address 
of a block transfer and the second cycle specifies 
the range or number of words in the block. 

Note that the function code of hexadecimal 09 
indicates the 32 bit address is specified by the 16 
address bits A-H, 0-7 and 16 data bits 0-15. Function
code hexadecimal 0D indicates that data bits
0-15 specify the range. Address bits 8-17 specify 
the channel number of the same device during 
both bus cycles. 

Figure 2E shows the format of the virtual I/O 
channel number command and the format of the 
translated physical I/O channel number command. 
Note that the physical channel number specified by 
address bits 8-17 of Figures 2A, 2B and 2D were 
translated from the virtual channel number 2-8 and 
the direction (D) bit 9. The remaining address and 
data bits are transferred without translation. 

I/O channel numbers range from hexadecimal 
010 through 3FF. CPU channel numbers range 
from hexadecimal 000 through 00F. Full duplex
devices, such as communication lines, use two 
channel numbers with the low order bit (D) identify- 
ing which half of the line, transmit or receive, is 
being addressed. 

Virtual channels range from 0-63, with one 
page of kernel-only I/O descriptors, and one page 
of shared I/O descriptors. The page to be accessed 
is determined by Bit 2 (MSB) of the virtual channel 
number. 

Half duplex devices, such as tape drives, use 
the D bit at logical 0 to specify an input operation 
and at logical 1 to specify an output operation. 

Unidirectional devices, such as card readers, 
would have the D bit set at logical 0 (an even 
function code). 

Ring protection consists of a set of hierarchical 
levels of protection and may be visualized as a set 
of N concentric circles numbered 0, 1, 2, ..., N-1,
from the inside out. The memory 8 space included 
in circle 0 is called ring 0, the memory 8 space 
included between circles 1 and 2 is called ring 2. 
Every segment of a process is placed in one ring 
of memory 8. The closer a segment is to the 
center, the greater its protection and privilege. Four 
rings numbered 0, 1, 2 and 3 are supported by the 
CSS, ring 0 is the most privileged and ring 3 the 
least. 

The Security Kernel of the Operating System with the exception of the I/O resides in the ring 0. The process scheduling of the memory management resides in ring 1. Trusted software resides in ring 2. Trusted software can violate either a security or integrity property enforced by the Security Kernel. Trusted software also provides functionality requiring high integrity. User Applications are in ring 3, the least privileged and are supported by an untrusted ring 2 Secure Kernel Interface Package. Application Software cannot run on top of trusted software.

A user is given a classification by the operating system. The classifications are unclassified, secret and top secret. This gives the user access to processes in specific rings. Assuming a user with a top secret classification is given access to ring 1, a secret user is given access to ring 2 and an unclassified user is given access to ring 3, then the following rules apply. A user cannot read up; that is, a user with a secret classification who is given access to processes in ring 2 cannot read processes in ring 1 or ring 0. A user cannot write down; that is, the user with the secret classification may not write a process in ring 3.

A procedure has associated with it three ring numbers R1, R2 and R3, called its ring brackets. If R3 > R2, the procedure is a gate for ring R2, accessible from rings no higher than R3. If R2 = R3, the procedure is not a gate.

Figure 3 shows a portion of the VMMU and the CPU which are a part of the invention. It should be noted that VMMU 0 4-8 and VMMU 1 4-10, as well as CPU 0 4-2 and CPU 1 4-4 are duplicates. Therefore VMMU 0 4-8 and CPU 0 4-2 will be used to describe the invention. However it is understood that the invention could operate equally well with VMMU 1 4-10 and CPU 1 4-4.

A register file 46 of CPU 0 4-2 includes sixty-four 32 bit registers. The functions of these registers are described in U.S. application Serial No. 722,237, entitled "Microprocessors on a Single Semiconductor Chip". Also included is a descriptor segment base register that is duplicated in the VMMU 0 4-8 VM-RAM 30.

Operands are received from BP bus 38, stored in a data-in register 26, and stored in a register of register file 46 via B bus 40, an arithmetic logic unit (ALU) 48, a BI bus 44, or a shifter 24 and BI bus 44. An arithmetic operation is performed on two operands in register file 46 by reading one operand into the A bus 42 and another operand over B bus 40, and applying both operands to their respective ALU 48 inputs.

The ALU 48 performs the arithmetic operation specified by control store 4-12 signals (not shown). The result of the arithmetic operation is written back into register file 46 via BI bus 44 or via the shifter and the BI bus 44.

A 32 bit Q register 22 acts as an extension of the ALU 48 to process 64 bit operands. Q register 22 also stores partial products and partial quotients during the execution of binary multiplication and division instructions. The shifter 24 is operative with the ALU 48 for executing normal 32 bit shift operations. The shifter 24 is operative with the Q register 22 and the ALU 48 to execute 64 bit shift operations. Control signals (not shown) from control store 4-12 control all of the operations of the register file 44, ALU 48, shifter 24, Q register 22 and data-in register 26.

The VMMU 0 4-8 includes a decoder 32 which 
receives control store 4-12 signals to address one 
of the twenty-eight locations of a 32 bit virtual 
memory random access memory (VM-RAM) 30. 
The portion of the DSBR 54 of this invention is 
stored in two locations of the VM-RAM 30. Informa- 
tion is loaded into VM-RAM 30 from BP bus 38, BP 
latch 36 and internal bus 34. Control signals (not 
shown) control the input and output of latch 36. 

Figure 4 shows the logic flow for translating the 
virtual I/O command to a physical I/O command as 
shown in Figure 2E. 

The operating system maintains an access
control list for each device that defines which users 
have access to the device. Whenever a process 
needs to address a new device, the operating 
system checks the list of the target devices to 
determine if access is allowed to the process. If 
access is allowed, the operating system 50 gen- 
erates the virtual I/O command 52 which is stored 
in a location in memory 8 and also loads the 
following information into DSBR 54 which is stored 
in the location in VM-RAM 30. 

Bit 0, if set, indicates that a new stack is to be 
used and the Call and Return Instructions are al- 
lowed. This is not a part of the invention and is 
therefore not described further. 

Bit 1, if set, indicates that virtual I/O commands
are generated by the operating system 50. 

Bits 4-23 specify the physical page frame base 
address in memory 8. However, bits 24-31 offset 
the base address to allow a descriptor segment 
page table 56 to start at a modulo 4 word boundary.

The descriptor segment page table 56 includes 
four page descriptors PD0 through PD3 which are 
used in the normal virtual memory address to 
physical memory address translation. This normal 
operation also includes processing the IOLD range 
commands. 

The descriptor segment page table 58 also includes an I/O page descriptor 4 and an I/O page descriptor 5. The state of the high order bit of the virtual channel number (bit 2 of the virtual I/O command) specifies that hexadecimal 8 is added to the offset base address to locate I/O page descriptor 4. Hexadecimal A is added to the offset base address to locate I/O page descriptor 5.

The I/O page descriptor 4 points to a table of 64 I/O descriptors (not shown) and I/O page descriptor 5 points to a table of 64 I/O descriptors identified as 63 through 127. The I/O descriptor is typical of those selected by I/O page descriptor 5.

There are 128 I/O descriptors divided into 64 global descriptors and 64 local descriptors. Global descriptors are considered system device descriptors and are used to allow the security kernel to access the kernel file system devices within any process. Local descriptors are defined as being private to the process and are associated with the user I/O devices which are mapped into the process's address space by the security kernel.

The information in the I/O page descriptor 5 is 
as follows. 

Bit 0 specifies the valid indicator (V) which indicates a valid I/O page descriptor.

Bit 1 specifies the used indicator (U) which indicates that the page was accessed.

Bit 2 specifies the modified indicator (M) which indicates that the page was modified.

Bits 4-23 specify the physical page frame number address of the I/O descriptor table 58.

Bits 26-30 specify the number of virtual device descriptors in the I/O descriptor table 58. A fault is indicated if the virtual channel number is larger than the I/O device table size.

The physical page frame number specifies the memory 8 base address of the I/O descriptor table 58. The virtual channel number bits 2-8 point to the I/O descriptor in the I/O descriptor table 58.

The I/O descriptor defines the access rights the process has to the device for the read or write operation, and the physical channel number of the device. Other information in the I/O descriptor is as follows.

Bit 0, the valid indicator (V), indicates an I/O channel fault (trap 37), if at ZERO.

Bit 1, the read-permit indicator (R), allows an IOLD instruction specifying a read operation if the bit is a ONE and the process is being executed in a ring number less than or equal to R2. If this access check is not met, then an I/O channel access fault (trap 38) is indicated.

Bit 2, the write-protect indicator (W), allows an IOLD specifying a write operation if the bit is a ONE and the process is being executed in a ring less than or equal to R1. If this access check is not met, then an I/O channel access fault is indicated.

For IOLD instructions, bits 4 and 5, R1, specifies the highest ring number of the write bracket for the media of this device. Bits 6 and 7, R2, specifies the highest ring number of the read bracket for this device.

For IO instructions, bits 4 and 5, R1, specifies the highest ring number of the control bracket for this device.

Bits 16-22 must be ZERO and bits 23-31 plus 
the original direction bit D of the virtual channel 
number make up the physical channel number of 
the I/O device and whether the command is a read 
command or a write command. 
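
The descriptor checks and channel translation described above, modelled as an added C example (not code from the patent or from any real firmware). The struct layouts and function names, the use of the command's ring number as the effective ring, the high-order channel bit selecting I/O page descriptor 5 when set, the D bit as the low-order bit of the physical channel number with D = 0 meaning read, and the rejection of nonzero bits 16-22 are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Outcomes. Positive values are the trap numbers named in the text. */
enum vio_result {
    VIO_OK               = 0,
    VIO_TRAP13_PRIVILEGE = 13,  /* issuing instruction not in ring 0 or 1 */
    VIO_TRAP37_CHANNEL   = 37,  /* bound fault or I/O descriptor V bit ZERO */
    VIO_TRAP38_ACCESS    = 38,  /* permit bit or ring bracket check failed */
    VIO_PAGE_FAULT       = -1,  /* I/O page descriptor V bit ZERO */
    VIO_RESERVED_NONZERO = -2   /* assumption: reject when bits 16-22 != 0 */
};

/* I/O descriptor word; bit 0 is the most significant bit, as in the text. */
#define IOD_V        0x80000000u           /* bit 0: valid */
#define IOD_R        0x40000000u           /* bit 1: read permit */
#define IOD_W        0x20000000u           /* bit 2: write permit */
#define IOD_R1(w)    (((w) >> 26) & 0x3u)  /* bits 4-5: top of write bracket */
#define IOD_R2(w)    (((w) >> 24) & 0x3u)  /* bits 6-7: top of read bracket */
#define IOD_MBZ      0x0000FE00u           /* bits 16-22: must be ZERO */
#define IOD_PCHAN(w) ((w) & 0x1FFu)        /* bits 23-31 */

/* Hypothetical decoded model of one I/O page descriptor and its table. */
struct io_page_desc {
    int      valid;      /* V bit */
    unsigned size;       /* table size field */
    uint32_t table[64];  /* I/O descriptor table */
};

/* Per-user context: pd[0] models I/O page descriptor 4, pd[1] descriptor 5. */
struct user_ctx { struct io_page_desc pd[2]; };

/* Decoded fields of a virtual I/O command (Figure 2E). */
struct vio_cmd {
    unsigned ring;   /* ring number, 0..3 */
    unsigned vchan;  /* 7-bit virtual channel number */
    unsigned d;      /* direction bit: 0 = read, 1 = write (assumed) */
};

/* Build a valid descriptor word from its fields (helper for sample data). */
uint32_t iod_make(int r, int w, unsigned r1, unsigned r2, unsigned pchan9)
{
    return IOD_V | (r ? IOD_R : 0u) | (w ? IOD_W : 0u)
         | ((r1 & 3u) << 26) | ((r2 & 3u) << 24) | (pchan9 & 0x1FFu);
}

enum vio_result vio_translate(const struct user_ctx *u, unsigned exec_ring,
                              struct vio_cmd c, unsigned *pchan)
{
    /* Only ring 0 or ring 1 code may issue the I/O instruction. */
    if (exec_ring > 1)
        return VIO_TRAP13_PRIVILEGE;

    /* High-order channel bit selects the page descriptor (offset 8 or A). */
    const struct io_page_desc *pd = &u->pd[(c.vchan >> 6) & 1u];
    if (!pd->valid)
        return VIO_PAGE_FAULT;

    /* Bound check as stated: fault when the index is larger than the size.
       idx == size stays inside the 64-entry array and hits a V = 0 slot. */
    unsigned idx = c.vchan & 0x3Fu;
    if (idx > pd->size)
        return VIO_TRAP37_CHANNEL;

    uint32_t w = pd->table[idx];
    if (!(w & IOD_V))
        return VIO_TRAP37_CHANNEL;

    /* Permit bit and ring bracket: read against R2, write against R1. */
    if (c.d == 0) {
        if (!(w & IOD_R) || c.ring > IOD_R2(w)) return VIO_TRAP38_ACCESS;
    } else {
        if (!(w & IOD_W) || c.ring > IOD_R1(w)) return VIO_TRAP38_ACCESS;
    }
    if (w & IOD_MBZ)
        return VIO_RESERVED_NONZERO;

    /* Physical channel: descriptor bits 23-31 followed by the D bit. */
    *pchan = (IOD_PCHAN(w) << 1) | (c.d & 1u);
    return VIO_OK;
}

/* Constructed sample: one local device at virtual channel 67, readable
   from any ring (R2 = 3), writable only from rings 0-1 (R1 = 1). */
struct user_ctx vio_demo_ctx(void)
{
    struct user_ctx u = {0};
    u.pd[1].valid = 1;
    u.pd[1].size = 4;
    u.pd[1].table[3] = iod_make(1, 1, 1, 3, 0x020);
    return u;
}

int main(void)
{
    struct user_ctx u = vio_demo_ctx();
    struct vio_cmd cmds[] = { {3, 67, 0}, {3, 67, 1}, {1, 67, 1},
                              {3, 74, 0}, {3, 5, 0} };
    for (size_t i = 0; i < sizeof cmds / sizeof cmds[0]; i++) {
        unsigned p = 0;
        int r = vio_translate(&u, 0, cmds[i], &p);
        printf("ring %u vchan %3u D=%u -> result %d, channel 0x%03X\n",
               cmds[i].ring, cmds[i].vchan, cmds[i].d, r, p);
    }
    return 0;
}
```

A nonzero result leaves the physical channel untouched, so nothing reaches the bus unless every check has passed.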

The DSBR 54 is loaded with a unique frame 
number and offset for each user. DSBR bits 4-31, 
therefore, point to a unique Descriptor Segment 
Page Table 56. There are as many descriptor segment
page tables 56 as there are users. There is
also a unique process descriptor segment 60 for 
each user. 

The total memory size for system 1 is up to 16
megabytes of physical memory and 2 gigabytes of 
virtual memory. Memory 8 stores the physical 
memory bytes and a number of mass storage 
devices store the virtual memory bytes. 

A segment size may be up to 2 megabytes. A 
process may include up to 1024 segments. A page 
contains 2K bytes with up to 1024 pages per 
segment. The virtual address is expressed as a 10 
bit segment number and a 20 bit displacement, 
which in conjunction with the contents of the DSBR 
54 and the following tables generate the memory 8 
physical address of the desired double word (30 
bits). 

In the unique process descriptor segment that contains all descriptors of a process, the descriptor segment page table 56 includes descriptor (PD) 0 which points to segment descriptors (SD) 0-255, PD 1 which points to SD 256-511, PD 2 which points to SD 512-767 and PD 3 which points to SD 768-1023.

PD 0 through PD 3 each point to their respec- 
tive segment descriptor tables. The contents of the 
segment descriptor tables, if paged, point to a table 
of page descriptors. The page table stores descrip- 
tors that contain the physical addresses in main 
memory 8 which correspond to the virtual address 
generated by the operating system. This is normal 
system operation for translating virtual memory ad- 
dresses to physical memory addresses. 

During normal operation the IOLD range com- 
mand of Figure 2D is processed as follows. 

A selected page descriptor of descriptor segment page table 56, for example PD1, is loaded with the page number of a processor descriptor segment 60. Each processor descriptor segment 60 includes 256 segment descriptors per page. In addition to the validity (V) bit 0, bit 1 is a privileged indicator (PR). If set, execution of privileged instructions is allowed only if in ring 0. If not set, no privileged instructions are allowed and if one is encountered then a trap 13 is called. The IOLD (IO) bit 2 set indicates that this is an IOLD buffer segment for direct memory access (DMA) transfers. If not set and an IOLD instruction is executed specifying this segment, then a protected memory trap 14 is called.

The page number bits 4 through 22 plus the offset bits 23 through 31 of the processor descriptor segment 60 point to a selected page descriptor (PDX) of an IOLD buffer segment page table 62 which stores 1024 thirty-two bit page descriptors. Bits 0, 1 and 2 (V, U and M) were described supra. The page number bits 4 through 23 of the IOLD buffer segment page table 62 points to an IOLD buffer segment page frame 64 in memory 8. The maximum buffer page size is 2048 bytes if the page number of the IOLD buffer segment page table 62 points to the base address of the page frame 64. If the base address is incremented by an offset, then the range is less than 2048 bytes since a page crossing is not allowed.

It should be noted that during the first translation for a user of virtual I/O to physical I/O, that portions of the contents of the descriptor segment page table 56 and portions of the contents of the I/O descriptor table 58 are brought into cache 4-6. Subsequent I/O command translations required for the same user may be accomplished at the cache 4-6 speed rather than the slower memory 8 speed.

For the Figure 5 description the commands of Figures 2A through 2C are called IO commands and the commands of Figure 2D are called IOLD commands. The firmware will treat both cycles of the IOLD command as an IOLD command. The notation I/O will refer to both IO and IOLD.

Figure 5 is a flow diagram of the Virtual I/O 
Firmware implementation. The CPU 0 4-2 executes 

35 the software instructions which in turn address the 
B portion of the control store 4-12 in order to 
translate the virtual I/O channel number to the 
physical I/O channel number. 

Decision block 72 tests bit 1 of the contents of 

40 the DSBR 54 and branches to block 74 if this is not 
a virtual I/O operation. The decision blocks are 
implemented by transferring information to register 
file 46. Figure 3, performing the actions called for 
in ALU 48 and shifter 24 and transferring the result 

45 back into register file 46 where it is available to the 
firmware. This is accomplished by signals from 
control store 4-12. Block 74 interprets the com- 
mand as having a physical channel number and 
causes the CPU 0 4-2 to send the command di- 
sc rectly over system bus 2. Otherwise decision block 
76 reads bits 0 and 1 of the current ring number of 
the I/O. instruction in memory that the CPU 0 4-2 is 
executing. If it is not a privileged instruction; that is, 
it is not a ring 0 or ring 1 instruction, then block 78 

55 calls for a trap 13 to notify the operating system to 
stop the process. 

Otherwise block 80 computes the location in
memory 8 of the I/O page descriptors 4 or 5 of the
descriptor segment page table (DSPT) 56. This is
done by the CPU 0 4-2 adding the base address
(bits 4-31 of descriptor segment base register 54)
to either hexadecimal 8 or hexadecimal A,
depending on the state of the high order bit of the
virtual channel number (bit 2).

Block 82 fetches the I/O page descriptor from
memory 8 location and stores it in a working
register of the CPU 0 4-2 register file 46, Figure 3.

Decision block 84 tests the valid (V) bit 0 of the 
I/O page descriptor. The valid bit true indicates that 
the page is in memory 8. If not true, then a page 
fault is generated to tell the operating system to 
bring the page into memory 8. The page is usually 
in the disk subsystem. Block 86 would then call for 
a standard page fault routine which is implemented 
by hardware. 

Otherwise block 88 stores the I/O page
descriptor from the descriptor segment page table 56
in a working register of the CPU 0 4-2, register file
46. The location in memory 8 of the I/O descriptor
is generated by adding the virtual channel number
to the physical page frame number of the I/O page
descriptor.

Decision block 90 compares the table size 
stored in the I/O page descriptor with the virtual 
channel number to make sure that the I/O descrip- 
tor table 58 can accommodate the virtual channel 
number. If the virtual channel number is greater 
than the size, then block 92 calls for a trap 37 
indicating a virtual channel number bound fault. 

If the I/O descriptor table 58 is large enough,
then block 94 fetches the I/O descriptor from
memory 8 and stores it in a working register of CPU 0
4-2, register file 46.

Decision block 96 tests the valid (V) bit 0 of the 
I/O descriptor and branches to block 98 if the bit is 
reset to indicate an I/O fault trap number 37. 

Otherwise block 100 computes R eff from the
ring bits 0 and 1 of the virtual I/O command.

R eff is the maximum value (least privileged) of 
the rings in which are stored the commands that 
make up the IOLD or I/O command. 

Decision block 101 tests if the virtual I/O
command is an IO command, Figures 2A, 2B or 2C, or
an IOLD command, Figure 2D, by examining the
OP code field of the instruction in memory 8 that
initiated the command. If the instruction calls for an
IO command, then decision block 103 tests the R eff
value against R1 in the I/O descriptor. If the value
of R eff is greater than R1, then block 105 initiates a
trap 38 I/O access fault operation. If R eff is less
than or equal to R1, then the firmware branches to
block 118 which replaces the virtual channel
number with the physical channel number from the I/O
descriptor of the I/O descriptor table 58.

Decision block 102 tests the D bit 9 of the
virtual I/O command. If bit 9 indicates a device
input command, decision block 108 tests if the
R bit 1 of the I/O descriptor is set and if R eff is less
than or equal to R2, bits 6 and 7 of the I/O
descriptor. If yes, then block 140 sets the M bit 2
in the IOLD buffer page descriptor; if not, then
block 106 calls for an access fault 38 via the
firmware access checking.

If decision block 102 indicated a device output
command by testing the state of the O bit in the
virtual IOLD command, then decision block 104
tests that the W bit of the I/O descriptor is set and
the value R eff is less than or equal to R1 (bits 4 and
5) of the I/O descriptor. Otherwise block 106
generates the trap 38.

Block 110 sets the modifier (M) bit (bit 2) of the
I/O page descriptor.

Decision block 112 tests if I/O bit 2 in the
segment descriptor for the IOLD buffer located in
the processor descriptor segment (PDS) 60 is set.
If not set then block 114 calls for a trap 14
protection violation routine. Otherwise decision
block 116 tests if the IOLD buffer size is less than
or equal to 2048 bytes by comparing a constant
(2048) with range data field bits 0-15 of the range
of Figure 2D, second cycle. To assure that the
range will not cross the page, the firmware checks
that the range of Figure 2D plus the offset is not
greater than 2048. The offset is calculated during
the normal virtual to physical address translation. If
either test fails, then block 114 calls for the trap 14
protection violation routine.

If both tests are successful, then block 118
replaces the virtual channel number of the virtual
I/O command with the physical channel number
contained in the I/O descriptor.

The firmware then branches to block 74 and
the IO or IOLD command is treated by the
subsystems coupled to the system bus 2, Figure 1,
as any normal command.
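The Figure 5 checks described above, restated as a small C model; this is an added example, not code from the patent. The struct layouts, the sample table and the PAGE_FAULT value are assumptions, and the caller is assumed to supply the already-selected I/O page descriptor and the computed R eff.

```c
#include <stdbool.h>
#include <stdint.h>

/* Traps named in the Figure 5 text; PAGE_FAULT (unnumbered there) is constructed. */
enum { OK = 0, TRAP_PRIV = 13, TRAP_PROT = 14, TRAP_IO_FAULT = 37,
       TRAP_ACCESS = 38, PAGE_FAULT = -1 };

/* Simplified field models (assumed); size = highest legal channel number. */
typedef struct { bool valid, r, w; uint8_t r1, r2; uint16_t phys_chan; } io_desc;
typedef struct { bool valid; uint16_t size; const io_desc *table; } io_page_desc;
typedef struct {
    bool is_iold, input;     /* OP code class; direction (IOLD only) */
    uint8_t ring, r_eff;     /* ring of the instruction; effective ring */
    uint16_t chan;           /* virtual on entry, physical on success */
    bool buf_io_bit, buf_m;  /* IOLD buffer: I/O bit of its segment, M bit */
    uint32_t range, offset;  /* IOLD buffer range and offset in the page */
} io_cmd;

int translate(bool dsbr_virtual, const io_page_desc *pd, io_cmd *c)
{
    if (!dsbr_virtual) return OK;                  /* block 74: pass through */
    if (c->ring > 1) return TRAP_PRIV;             /* blocks 76, 78 */
    if (!pd->valid) return PAGE_FAULT;             /* blocks 84, 86 */
    if (c->chan > pd->size) return TRAP_IO_FAULT;  /* blocks 90, 92 */
    const io_desc *d = &pd->table[c->chan];        /* block 94 */
    if (!d->valid) return TRAP_IO_FAULT;           /* blocks 96, 98 */
    if (!c->is_iold) {                             /* blocks 101, 103, 105 */
        if (c->r_eff > d->r1) return TRAP_ACCESS;
    } else {
        if (c->input) {                            /* block 108 */
            if (!d->r || c->r_eff > d->r2) return TRAP_ACCESS;
            c->buf_m = true;                       /* M bit, buffer page */
        } else if (!d->w || c->r_eff > d->r1) {    /* block 104 */
            return TRAP_ACCESS;
        }
        if (!c->buf_io_bit) return TRAP_PROT;      /* blocks 112, 114 */
        if (c->range > 2048 || c->range + c->offset > 2048) return TRAP_PROT; /* 116 */
    }
    c->chan = d->phys_chan;                        /* block 118 */
    return OK;
}

/* Constructed sample: chan 0 read/write, chan 1 read-only, chan 2 invalid. */
static const io_desc sample[] = {
    { true, true, true, 1, 1, 0x120 },
    { true, true, false, 0, 1, 0x134 },
    { false, false, false, 0, 0, 0 },
};
static const io_page_desc sample_pd = { true, 2, sample };
int main(void)
{   /* IOLD output to the read-only channel 1 must raise trap 38. */
    io_cmd c = { .is_iold = true, .r_eff = 1, .chan = 1, .buf_io_bit = true, .range = 512 };
    return translate(true, &sample_pd, &c) == TRAP_ACCESS ? 0 : 1;
}
```

A command that fails any check keeps its virtual channel number, so nothing addressed to a physical device reaches the bus unless every test has passed.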

While the invention has been shown and
described with reference to the preferred embodiment
thereof, it will be understood by those skilled in the
art that the above and other changes in form and
detail may be made therein without departing from
the spirit and scope of the invention.

Claims 


1. Apparatus for translating a virtual I/O
command to a physical I/O command comprising:

first means for storing a virtual I/O command
including a virtual channel number identifying a
device;

second means for storing a descriptor segment
identifying a user;

a first table means coupled to said first and second
means and responsive to a first portion of said
channel number and said descriptor segment for
locating an I/O page descriptor identifying a family
of devices available to said user;

a second table means coupled to said first means
and said first table means and responsive to said
channel number and said I/O page descriptor for
locating an I/O descriptor including a physical
channel number identifying said device;

third means coupled to said first means and said
second table means for replacing said virtual
channel number by said physical channel number
thereby generating said physical I/O command.

2. Apparatus for translating a virtual I/O com- 
mand requested by a user to a physical I/O com- 
mand comprising: 

first means for storing a virtual I/O command in- 
cluding a virtual channel number identifying a de- 
vice; 

second means for storing a descriptor segment, 
said descriptor segment including a first field iden- 
tifying said user; 

a first table means coupled to said first and second 
means and responsive to the contents of said first 
field and a first portion of said virtual channel 
number for locating an I/O page descriptor, said I/O 
page descriptor including a second field identifying 
each device available to said user; 
a second table means coupled to said first means 
and said first table means and responsive to the 
contents of said second field and said virtual
channel number for locating an I/O descriptor, said I/O
descriptor including a third field containing a phys- 
ical channel number identifying said device; 
third means coupled to said first means for replac- 
ing said virtual channel number by said physical 
channel number thereby generating said physical 
I/O command. 

3. Apparatus for translating a virtual
input/output (I/O) command requested by a user to
a physical I/O command identifying a device, said
apparatus comprising:

a first means for storing said virtual I/O command
including a virtual channel number identifying said
device and a first ring number identifying the
privilege of said user;

a second means for storing a descriptor segment
including a first field identifying said user;

a first table means coupled to said first and said
second means and responsive to the contents of
said first field and a first portion of said virtual
channel number for locating an I/O page descriptor,
said I/O page descriptor including a second field
identifying the family of devices accessible to said
user;

a second table means coupled to said first means
and said first table means and responsive to said
virtual channel number and the contents of said
second field for locating an I/O descriptor, said I/O
descriptor including a second ring number and a
third field containing a physical channel number
identifying said device;

comparing means coupled to said first means and
said second table means for verifying that said
second ring number is greater than or equal to said
first ring number thereby verifying that said user
has privileged access to said device;

third means coupled to said comparing means,
said first means and said second table means for
replacing said virtual channel number and said first
ring number by said physical channel number
thereby generating said physical I/O command.

4. Apparatus for translating a virtual I/O
command requested by a user to a physical I/O
command identifying a device, said apparatus
comprising:

a first means for storing said virtual I/O command
including a virtual channel number identifying said
device, a first ring number identifying the privilege
of said user and a direction bit indicating a read or
a write operation;

a second means storing a descriptor segment
including an I/O identifier in a first state indicating
that the command is a virtual I/O command, and in
a second state indicating that the command is a
physical I/O command and no further action is
required, said descriptor segment further including
a first field identifying said user;

a first table means coupled to said first and said
second means and responsive to the contents of
said first field and a first portion of said virtual
channel number for locating an I/O page descriptor
including a second field identifying the family of
devices accessible to said user;

a second table means coupled to said first means
and responsive to the contents of said second field
and said virtual channel number for locating an I/O
descriptor including a read bit or a write bit, a
second ring number and a physical channel
number identifying said device;

comparing means for verifying that said second
ring number is greater than or equal to said first
ring number thereby verifying that said user has
privileged access to said device, and further
verifying that said direction bit in a first state is equal to
the state of said read bit in a first state and said
direction bit in a second state is equal to the state
of said write bit;

third means coupled to said comparing means,
said first means and said second table means for
replacing said virtual channel number and said first
ring number by said physical channel number if the
results of the comparison show that the read or
write physical I/O command is compatible with said
read bit or said write bit and said user has
privileged access to said device,
thereby generating said physical I/O command for
transfer over a system bus.

5. Apparatus for translating a virtual IOLD
command requested by a user to a physical IOLD
command identifying a device, said apparatus
comprising:

a first means for storing said virtual IOLD command
including a virtual channel number identifying said
device and a first ring number identifying the
privilege of said user and a range specifying the size of
a block of data being transferred;

a second means for storing a descriptor segment
including a first field identifying said user;

a first table means coupled to said first and said
second means and responsive to the contents of
said first field and a first portion of said virtual
channel number for locating an I/O page descriptor,
said I/O page descriptor including a second field
identifying the family of devices accessible to said
user;

said first table means further including a page
descriptor means for specifying a base address of
a buffer storing said block of data;

a second table means coupled to said first means
and said first table means and responsive to said
virtual channel number and the contents of said
second field for locating an I/O descriptor, said I/O
descriptor including a second ring number and a
third field containing a physical channel number
identifying said device;

first comparing means coupled to said first means
and said second table means for verifying that
said second ring number is greater than or equal to
said first ring number thereby verifying that said
user has privileged access to said device;

second comparing means coupled to said first
means and said first table means for verifying that
said range is less than or equal to a predetermined
amount and that said buffer does not overflow a
page; and

third means coupled to said first and said second
comparing means, said first means and said
second table means for replacing said virtual channel
number and said first ring number by said physical
channel number thereby generating said physical
I/O command.

6. A method of translating a virtual IO
command to a physical IO command including the
steps of:

A. testing if the new IO bit stored in a
descriptor segment base register is set indicating a
virtual I/O command;

B. testing if the ring number of the virtual I/O
command is less than or equal to ONE indicating
that the command is privileged;

C. computing the location of an I/O page
descriptor;

D. storing an I/O page descriptor in a
memory location;

E. verifying the validity bit of the I/O page
descriptor;

F. locating an I/O descriptor by adding a
virtual channel number to a physical page frame
number of the I/O page descriptor;

G. verifying that the I/O descriptor table can
accommodate the virtual channel number;

H. verifying the validity bit of the I/O
descriptor;

I. computing the value of R eff;

J. verifying that R eff is less than or equal to
the ring number R1 of the I/O descriptor; and

K. replacing the virtual channel number by
the physical channel number.

7. A method of translating a virtual IOLD
command to a physical IOLD command including the
steps of:

A. testing if the new I/O bit of a descriptor
segment base register is set indicating a virtual I/O
command;

B. testing if the ring number of the virtual I/O
command is less than or equal to ONE indicating
that the command is privileged;

C. computing the location of an I/O page
descriptor;

D. storing an I/O page descriptor in a
memory location;

E. verifying the validity bit of the I/O page
descriptor;

F. locating an I/O descriptor by adding a
virtual channel number to a physical page frame
number of the I/O page descriptor;

G. verifying that the I/O descriptor table can
accommodate the virtual channel number;

H. verifying the validity bit of the I/O
descriptor;

I. computing the value of R eff;

J. testing a direction bit of the virtual IOLD
command for an input or an output command;

K. testing if the read bit of the I/O descriptor
is set and if R eff is less than or equal to the ring
bits R2 of the I/O descriptor;

L. setting of the modified bit (M) in the IOLD
buffer page descriptor;

M. testing if the write bit of the I/O descriptor
is set and if R eff is less than or equal to the ring
bits R1 of the I/O descriptor;

N. testing if the I/O bit in the segment
descriptor of an IOLD buffer is set;

O. verifying that the buffer size is less than a
predetermined value; and

P. replacing the virtual channel number by
the physical channel number.